Cyber security directive held up in face of ‘Wild West’ Internet

Disagreements between member states are holding up proposals for pan-European cyber security rules, whilst experts warn that the threat from an anarchic Internet is increasing.

The Latvian presidency of the European Council wants to begin negotiations on the proposed network and information security (NIS) directive on 30 April, but needs a mandate from the member states before it can do so.

The directive would oblige infrastructure-critical companies to report any cyber attacks, but the question of which types of companies would fall within the scope of that reporting obligation remains controversial.

A key outstanding issue is the extent to which US giants such as Google, Amazon and Facebook – so-called “over-the-top” companies – will be caught by the directive and obliged to report cyber attacks.

More or less rigorous definition

EU diplomats told EURACTIV that Ireland, Sweden and the UK – all countries which host large US-based internet concerns – are leading efforts to minimise the involvement of such companies within the scope of the directive. Meanwhile France, Germany and Spain, amongst others, are opposed.

Latvia is keen to try and iron out a compromise before the end of its presidency, having taken the unusual step of earmarking 30 April to start trilogue negotiations between the EU Council, Parliament and Commission. The Latvian presidency has not pegged dates for other trilogues yet – an indication of how keen it is to agree the cyber security dossier.

Delays to the agreement of the NIS directive come against a backdrop of rising warnings from officials about European preparedness in the face of cyber attacks.

Udo Helmbrecht, the executive director of the EU’s Agency for Network and Information Security (ENISA), recently warned MEPs about the risk of a virtual “Wild West”.

“When you talk today about the Internet, it is the ‘Wild West’. Everyone can do what they want. There is no control, no regulation,” he told MEPs in an exchange of views held on 16 March in the European Parliament’s subcommittee on security and defence. “And the reason for this is: where is the governance structure?”

Member states keeping cards close to chest

ENISA’s role is to support the EU and the member states in enhancing and strengthening their capability and preparedness to prevent and detect cyber security incidents.

Problems of trust between member states were alluded to at the same meeting by Peter Round, the director of capability, armament and technology at the European Defence Agency.

Round explained that there were widespread reports that member states are concealing details of the development of offensive cyber security capabilities from one another.

“One of the issues with cyber is that it is in some ways the new gunpowder. When a member state gains a capability – certainly at first – they don’t want to share it, because some have it and some don’t, and we are seeing that some don’t want to share it, seeing it as a sovereign and national issue,” Round told MEPs.

Background

An EU cyber security strategy was presented by the Commission and in 2013, covering the internal market, justice and home affairs and foreign policy angles of cyberspace.

Shortly afterwards, the European Commission proposed a Directive with measures to ensure harmonised network and information security across the EU.

The proposed legislation will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.”

Pan European? Why would we give up our hand? The best way to defend yourself in the cyber world is to keep the fewest possible numbers in the loop. If we shared our intelligence, the other members of the “Five Eyes” community would be less inclined to share intelligence with us. This really is something that should be a national competence. If the other 27 nations want to create their own intelligence service & create a cyber offensive capability to back up their defensive capabilities, so be it, but we cannot dilute what we have to join a European equivalent of the “Five Eyes”.